DNS Amplification Attacks... and a trivial proposal

Vernon Schryver vjs at rhyolite.com
Sat Jun 15 01:26:04 UTC 2013


> From: Doug Barton <dougb at dougbarton.us>

> > RRL needs only authority and open recursive servers to be updated.
> > The vast majority of DNS installations are closed recursive and stub
> > servers that do not need RRL.  (A case could be made for RRL on a
> > minority of private recursive servers.)
>
> You're right of course, but unfortunately at least where open resolvers 
> are concerned the same people who operate open resolvers are also those 
> least likely to know what RRL is, or why it's needed; and are also least 
> likely to actually upgrade old software. So a statistically significant 
> percentage of the "long tail" problem is going to apply to those who 
> would provide the most benefit from making the change.

hence my talk about an RPZ black zone of open resolvers that have
been used in reflection attacks, and another RPZ zone of current
attack victims that want TCP for a while.
(I've mentioned serious flaws in both, so don't feel obligated.)


> I could therefore make a pretty strong case that RRL should be on by 
> default, but I realize that's incredibly unlikely to fly. :)

Me too,
but it wouldn't help that long tail of orphans.

Contrary to recent statements and how it might seem to most users,
my spam traps still see open-relayed spam.  Today some got into my
mailbox.  Those long tails never really go away.


> > Other ideas that I like such as DNS cookies would need more widespread
> > changes, which makes enthusiasm for them taxing.
>
> Yeah, that's unfortunate since if it's a good idea it's worth 
> implementing no matter how long it takes to be beneficial. The time will 
> pass either way.

I see less value in DNS cookies when and if BCP 38 is the de facto
standard.  DNS cookies only assure the DNS server that it is answering
the client, and BCP 38 does cheaper that except on intranets.
DNS Cookies are mostly insurance against the incentives against
BCP 38 never being overcome.
I've heard recent BCP 38 good news, but too little if any of it
is about the long tail of networks with reasons they find compelling
for never doing BCP 38 (or sufficient equivalents).
It would take 10 or 15 years to get DNS cookies on most systems but
we might never get BCP 38.  As you said, an Australian law for BCP 38
would fall short, even if Australia moves faster and more on point on
the first try on BCP 38 than on spam.

I'm waiting for the EU to declare BCP 38 an unlawful privacy violation.
If IP addresses are PII, then the privacy right of anonymity implies
the right to forge IP source addresses.  I don't know if I'm joking.


> Personally I've never understood why RRL wasn't already baked in. 

I've been saying for decades that rate limiting should be on the
IESG checklist for any UDP based protocol.  A year+ ago, Paul said
"Make it so" for BIND9 DNS, and we started hashing out details.


Vernon Schryver    vjs at rhyolite.com
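Added illustration, not code from the list or from BIND9: a simplified, RRL-style response rate limiter. It buckets identical answers per client /24 and, once a bucket is exhausted, drops most answers but "slips" every Nth one as a small truncated (TC=1) reply, so a genuine client can retry over TCP while a spoofed victim receives little amplified traffic. The bucket/refill arithmetic, the parameter names and the sample query stream are assumptions for the demo (IPv4 clients only).

```python
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Simplified RRL-style limiter (assumed semantics, not BIND9's exact algorithm)."""

    def __init__(self, responses_per_second=5, window=15, slip=2, ipv4_prefixlen=24):
        self.rate = responses_per_second
        self.window = window              # seconds of credit a bucket may accumulate
        self.slip = slip                  # every slip-th suppressed answer is sent truncated
        self.prefixlen = ipv4_prefixlen   # clients are grouped by network, not single address
        self.credit = {}                  # bucket -> (remaining credit, last update time)
        self.suppressed = defaultdict(int)

    def _bucket(self, src_ip, qname, rcode):
        # Identical answers to the same client network share one bucket.
        net = ip_network(f"{src_ip}/{self.prefixlen}", strict=False)
        return (str(net), qname.lower(), rcode)

    def decide(self, src_ip, qname, rcode, now):
        key = self._bucket(src_ip, qname, rcode)
        credit, last = self.credit.get(key, (self.rate * self.window, now))
        # Refill credit for elapsed time, capped at a full window's worth.
        credit = min(self.rate * self.window, credit + (now - last) * self.rate)
        if credit >= 1:
            self.credit[key] = (credit - 1, now)
            return "send"
        self.credit[key] = (credit, now)
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "truncate"   # TC=1 reply: no amplification, real clients retry over TCP
        return "drop"


def simulate(limiter, queries):
    """queries: iterable of (time, src_ip, qname, rcode); returns counts per action."""
    counts = defaultdict(int)
    for now, src, qname, rcode in queries:
        counts[limiter.decide(src, qname, rcode, now)] += 1
    return dict(counts)


# Constructed sample: 100 identical queries arriving within one second from one
# (possibly spoofed) source, the kind of burst a reflection victim would cause.
FLOOD = [(0.0, "203.0.113.7", "example.com", "NOERROR")] * 100

if __name__ == "__main__":
    print(simulate(ResponseRateLimiter(responses_per_second=5, window=1, slip=2), FLOOD))
```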

